<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[197940] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197940">197940</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-03-10 09:46:06 -0800 (Thu, 10 Mar 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>CSP: Implement support for inline script and inline style hashes
https://bugs.webkit.org/show_bug.cgi?id=155007
<rdar://problem/24964098>

Reviewed by Brent Fulgham.

Source/WebCore:

Inspiration taken from the analogous implementation in Blink.

Add support for script-src and style-src hashes as per sections Hash usage for script elements
and Hash usage for style elements of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.

Test: http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html

* WebCore.xcodeproj/project.pbxproj: Add file ContentSecurityPolicyHash.h. Also sort the list of files
in the group WebCore/page/csp.
* dom/InlineStyleSheetOwner.cpp:
(WebCore::InlineStyleSheetOwner::createSheet): Pass the content of the stylesheet when querying whether
the stylesheet is allowed by the Content Security Policy.
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::executeScript): Pass the content of the inline JavaScript script when querying
whether the script is allowed by the Content Security Policy.
* dom/StyledElement.cpp:
(WebCore::StyledElement::styleAttributeChanged): The Content Security Policy style-src hashes do not apply
to inline styles defined in the HTML style attribute. So, pass a null string (to indicate the absence of
content) when querying whether the inline style is allowed by the Content Security Policy.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::toCryptoDigestAlgorithm): Convenience function that maps a ContentSecurityPolicyHashAlgorithm
enumerator to a CryptoDigest::Algorithm enumerator.
(WebCore::isAllowedByAllWithHashFromContent): Computes the digest of the specified content for each
hash algorithm and checks if digest matches a hash that was specified in a policy.
(WebCore::ContentSecurityPolicy::documentEncoding): Added.
(WebCore::ContentSecurityPolicy::allowInlineScript): Check if the hash of the script matches a known
hash if applicable. Otherwise, fall back to checking the URL of the script.
(WebCore::ContentSecurityPolicy::allowInlineStyle): Check if the hash of the stylesheet matches a
known hash if applicable. Otherwise, fall back to checking the URL of the stylesheet.
* page/csp/ContentSecurityPolicy.h:
(WebCore::ContentSecurityPolicy::addHashAlgorithmsForInlineScripts): Adds the specified set of
hash algorithms to the existing set of hash algorithms we know are used for inline scripts.
(WebCore::ContentSecurityPolicy::addHashAlgorithmsForInlineStylesheets): Adds the specified set of
hash algorithms to the existing set of hash algorithms we know are used for inline stylesheets.
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::checkEval): Make this a static, non-member function because it does not depend on any
instance or class variables. Mark this function as inline to give a hint to the compiler that it
should consider inlining the implementation of this function into the caller.
(WebCore::checkInline): Ditto.
(WebCore::checkSource): Ditto.
(WebCore::checkHash): Checks if the directive allows content with the specified hash.
(WebCore::checkMediaType): Make this a static, non-member function because it does not depend on
any instance or class variables. Mark this function as inline to give a hint to the compiler that
it should consider inlining the implementation of this function into the caller.
(WebCore::ContentSecurityPolicyDirectiveList::create): Modified as needed now that WebCore::checkEval()
is a static, non-member function.
(WebCore::ContentSecurityPolicyDirectiveList::allowInlineScriptWithHash): Added.
(WebCore::ContentSecurityPolicyDirectiveList::allowInlineStyleWithHash): Added.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Modified to pass the hash algorithms seen
from parsing the directives script-src, style-src, and default-src to the ContentSecurityPolicy object.
(WebCore::ContentSecurityPolicyDirectiveList::checkEval): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::checkInline): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::checkSource): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::checkMediaType): Deleted.
* page/csp/ContentSecurityPolicyDirectiveList.h:
* page/csp/ContentSecurityPolicyHash.h: Added.
(WTF::DefaultHash<WebCore::ContentSecurityPolicyDigest>::Hash::hash): Compute the hash of a digest as
we would compute the hash of a string.
(WTF::DefaultHash<WebCore::ContentSecurityPolicyDigest>::Hash::equal): Compare digests for equality
by making use of Vector's equality operator.
* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::matches): Checks if the hash is in the set of known hashes.
(WebCore::ContentSecurityPolicySourceList::parse): Modified to call ContentSecurityPolicySourceList::parseHashSource()
to try to parse the source list expression as a hash source. If this fails then we try to parse the
source expression as a scheme/host/port expression.
(WebCore::parseHashAlgorithmAdvancingPosition): Parses the hash algorithm from a hash source expression.
(WebCore::isBase64Character): Returns whether the specified character is a valid Base64/Base64url character,
excluding the padding character '='. Disregarding the omission of the padding character '=', this function
conforms to the ABNF grammar defined in section Source Lists of the Content Security Policy Level 3 spec.,
<https://w3c.github.io/webappsec-csp> (Editor’s Draft, 29 February 2016). We take the padding character '='
into account in ContentSecurityPolicySourceList::parseHashSource().
(WebCore::ContentSecurityPolicySourceList::parseHashSource): Parses a hash source expression per the ABNF
grammar described in section Source Lists of the Content Security Policy Level 3 spec.
* page/csp/ContentSecurityPolicySourceList.h:
(WebCore::ContentSecurityPolicySourceList::hashAlgorithmsUsed): Returns the set of hash algorithms seen from
parsing the source list.
(WebCore::ContentSecurityPolicySourceList::allowInline): We only allow inline scripts/stylesheets if
'unsafe-inline' was specified in the source list and the source list does not contain any hash sources.
* page/csp/ContentSecurityPolicySourceListDirective.cpp:
(WebCore::ContentSecurityPolicySourceListDirective::allows): Checks if the specified hash is in the source list.
* page/csp/ContentSecurityPolicySourceListDirective.h:
(WebCore::ContentSecurityPolicySourceListDirective::hashAlgorithmsUsed): Turns around and calls ContentSecurityPolicySourceList::hashAlgorithmsUsed().

LayoutTests:

Add new test http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html to ensure that
script hashes are interpreted correctly. Update many existing tests that had a hash source with
a SHA-1 hash to use a SHA-256 hash. The valid hash algorithms are SHA-256, SHA-384, and SHA-512
per the Content Security Policy Level 3 spec. At the time of writing, Blink also supports SHA-1.

* TestExpectations: Mark many CSP 1.1 tests as PASS so that we run them. Remove entries for tests
http/tests/security/contentSecurityPolicy/1.1/{script, style}hash-default-src.html as these tests
now pass.
* http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptEpilogue.js: Added.
* http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptPrologue.js: Added.
* http/tests/security/contentSecurityPolicy/1.1/resources/testScriptHash.php: Added.
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed.html: Update test as SHA-1 is not
a supported hash algorithm per the Content Security Policy Level 3 spec.
* http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked.html: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline.html: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/scripthash-malformed-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html: Update test
as SHA-1 is not a supported hash algorithm per the Content Security Policy Level 3 spec.
* http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed.html: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-error-event.html: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked.html: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/stylehash-svg-style-basic-blocked-error-event.html: Update test
as SHA-1 is not a supported hash algorithm per the Content Security Policy Level 3 spec.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashbasicblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashbasicblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashignoreunsafeinlineexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashignoreunsafeinlinehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashmalformedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-malformed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashunicodenormalizationhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashbasicblockederroreventhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-error-event.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashbasicblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashbasicblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashsvgstylebasicblockederroreventhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-svg-style-basic-blocked-error-event.html</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreWebCorexcodeprojprojectpbxproj">trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceWebCoredomInlineStyleSheetOwnercpp">trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp</a></li>
<li><a href="#trunkSourceWebCoredomScriptElementcpp">trunk/Source/WebCore/dom/ScriptElement.cpp</a></li>
<li><a href="#trunkSourceWebCoredomStyledElementcpp">trunk/Source/WebCore/dom/StyledElement.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectivecpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectiveh">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11resourcesdidRunInlineScriptEpiloguejs">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptEpilogue.js</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11resourcesdidRunInlineScriptProloguejs">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptPrologue.js</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11resourcestestScriptHashphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/testScriptHash.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashdefaultsrcexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashtestsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashtestshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashdefaultsrcexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src-expected.txt</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyHashh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyHash.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/ChangeLog        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,3 +1,43 @@
</span><ins>+2016-03-10 Daniel Bates <dabates@apple.com>
+
+ CSP: Implement support for inline script and inline style hashes
+ https://bugs.webkit.org/show_bug.cgi?id=155007
+ <rdar://problem/24964098>
+
+ Reviewed by Brent Fulgham.
+
+ Add new test http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html to ensure that
+ script hashes are interpreted correctly. Update many existing tests that had a hash source with
+ a SHA-1 hash to use a SHA-256 hash. The valid hash algorithms are SHA-256, SHA-384, and SHA-512
+ per the Content Security Policy Level 3 spec. At the time of writing, Blink also supports SHA-1.
+
+ * TestExpectations: Mark many CSP 1.1 tests as PASS so that we run them. Remove entries for tests
+ http/tests/security/contentSecurityPolicy/1.1/{script, style}hash-default-src.html as these tests
+ now pass.
+ * http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptEpilogue.js: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptPrologue.js: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/resources/testScriptHash.php: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed.html: Update test as SHA-1 is not
+ a supported hash algorithm per the Content Security Policy Level 3 spec.
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked.html: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline.html: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-malformed-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html: Update test
+ as SHA-1 is not a supported hash algorithm per the Content Security Policy Level 3 spec.
+ * http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed.html: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-error-event.html: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked.html: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/stylehash-svg-style-basic-blocked-error-event.html: Update test
+ as SHA-1 is not a supported hash algorithm per the Content Security Policy Level 3 spec.
+
</ins><span class="cx"> 2016-03-10 Frederic Wang <fwang@igalia.com>
</span><span class="cx">
</span><span class="cx"> [GTK] Add support for WOFF2
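Review bot: the entry `* http/tests/security/contentSecurityPolicy/1.1/scripthash-malformed-expected.txt:` in this ChangeLog hunk has no description, while every neighbouring entry says `Added.`, `Ditto.` or why the file changed; say what changed for the malformed-hash expectations (for example `Ditto.` if it is the same SHA-1 to SHA-256 update) so the record is complete.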
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/TestExpectations        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -819,15 +819,21 @@
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php [ Pass ]
</span><ins>+http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scripthash-malformed.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html [ Pass ]
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-basics.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html [ Pass ]
</span><del>-webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
-webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
-webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html
</del><ins>+http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked.html [ Pass ]
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-affects-child.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-mismatched-data.html [ Pass ]
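Review bot: the ChangeLog says the entries for both `{script, style}hash-default-src.html` were removed because those tests now pass, and this hunk does drop the `webkit.org/b/154203 ... stylehash-default-src.html` line, but only `scripthash-default-src.html` gets a new `[ Pass ]` line; `stylehash-default-src.html` is not added back next to `stylehash-allowed.html` and `stylehash-basic-blocked.html`. Since every other test in this directory is opted in with an explicit `[ Pass ]`, add one for `stylehash-default-src.html` or confirm it runs without it. The deleted `frame-ancestors-overrides-xfo.html` line is only relocated (the next hunk re-adds it), so that part is fine.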
</span><span class="lines">@@ -838,6 +844,7 @@
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-blocked.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html [ Pass ]
</span><ins>+webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
</ins><span class="cx"> webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html
</span><span class="cx"> webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ]
</span><span class="cx"> webkit.org/b/153148 http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html
</span><span class="lines">@@ -850,6 +857,9 @@
</span><span class="cx"> webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-blocked.html # Needs testRunner.getManifestThen()
</span><span class="cx"> webkit.org/b/153154 http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html
</span><span class="cx"> webkit.org/b/153155 http/tests/security/contentSecurityPolicy/style-src-blocked-error-event.html
</span><ins>+webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-error-event.html
+webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-error-event.html
+webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylehash-svg-style-basic-blocked-error-event.html
</ins><span class="cx"> webkit.org/b/153159 http/tests/security/contentSecurityPolicy/image-document-default-src-none.html [ Failure ]
</span><span class="cx"> webkit.org/b/153160 http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child.html [ Failure ]
</span><span class="cx"> webkit.org/b/153160 http/tests/security/contentSecurityPolicy/plugin-in-iframe-with-csp.html [ Failure ]
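Review bot: the three `-error-event.html` tests added here under `webkit.org/b/153155` carry no expectation, and neither this hunk nor the ChangeLog says why they share the bug that tracks `style-src-blocked-error-event.html`; a trailing comment (as `# Needs testRunner.getManifestThen()` does a few lines above) or a sentence in the ChangeLog would record why they are not marked `[ Pass ]` like the other scripthash/stylehash tests.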
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11resourcesdidRunInlineScriptEpiloguejs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptEpilogue.js (0 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptEpilogue.js         (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptEpilogue.js        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+window.parent.checkResult(didRunInlineScript);
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11resourcesdidRunInlineScriptProloguejs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptPrologue.js (0 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptPrologue.js         (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/didRunInlineScriptPrologue.js        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+var didRunInlineScript = false;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11resourcestestScriptHashphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/testScriptHash.php (0 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/testScriptHash.php         (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/testScriptHash.php        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+<?php
+ header("Expires: Thu, 01 Dec 2003 16:00:00 GMT");
+ header("Cache-Control: no-cache, must-revalidate");
+ header("Pragma: no-cache");
+ header("Content-Type: text/html; charset=" . (empty($_GET["charset"]) ? "UTF8" : $_GET["charset"]));
+ header("Content-Security-Policy: script-src 'self' " . $_GET["hashSource"]);
+?>
+<!DOCTYPE html>
+<html>
+<head>
+<script src="didRunInlineScriptPrologue.js"></script>
+<script><?php echo $_GET["script"]; ?></script> <!-- Will only execute if $_GET["hashSource"] represents a valid hash of this script. -->
+<script src="didRunInlineScriptEpilogue.js"></script>
+</head>
+</html>
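Review bot: `$_GET["script"]` is echoed verbatim inside the `<script>` element and `$_GET["hashSource"]` is concatenated unquoted into the `Content-Security-Policy` header, so this fixture reflects raw query input into both the page and its policy. That is the purpose of a test resource, but a one-line comment stating it (and that callers pass `hashSource` already in its quoted form, `'sha256-...'`) would stop the next reader from filing it as an injection bug; it would also be worth noting that a `script` value containing `</script>` ends the element early, so test cases must avoid that sequence.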
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed.html (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed.html        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed.html        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,12 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <meta http-equiv="Content-Security-Policy" content="script-src 'sha1-vMUNaexq6wlYKxWWPlJUOvhn67U=' 'sha256-j+ToFnhur5mTSCwoyy4Fh29+1BNMVEZ0MBvG5db0dA4=' 'sha384-S/1WrU/8y14JzSAhjkxjd8sZLP10LDlHuH8Mi24OwMNJ6wSry7J8ln0KeaibHHBW' 'sha512-0tQJUSPHRGUYQIa2ByQWZSlUa5sI3e2tOEXF7sg5mjmsHk/EHDTTORIDyMPhDKgCmdYdb7TIrwhLrq2kEvfjHQ=='">
</del><span class="cx"> <script>
</span><span class="cx"> if (window.testRunner)
</span><span class="cx"> testRunner.dumpAsText();
</span><span class="cx"> alert('PASS (1/4)');
</span><span class="cx"> </script>
</span><ins>+ <meta http-equiv="Content-Security-Policy" content="script-src 'sha256-j+ToFnhur5mTSCwoyy4Fh29+1BNMVEZ0MBvG5db0dA4=' 'sha384-S/1WrU/8y14JzSAhjkxjd8sZLP10LDlHuH8Mi24OwMNJ6wSry7J8ln0KeaibHHBW' 'sha512-0tQJUSPHRGUYQIa2ByQWZSlUa5sI3e2tOEXF7sg5mjmsHk/EHDTTORIDyMPhDKgCmdYdb7TIrwhLrq2kEvfjHQ=='">
</ins><span class="cx"> <script>
</span><span class="cx"> alert('PASS (2/4)');
</span><span class="cx"> </script>
</span></span></pre></div>
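Review bot: moving the Content-Security-Policy meta element below the first script element means that script (the one that calls `testRunner.dumpAsText()` and alerts `PASS (1/4)`) now runs before any policy is in effect, so it no longer exercises a hash source at all; it used to be covered by the removed `'sha1-vMUNaexq6wlYKxWWPlJUOvhn67U='`. Either add that script's SHA-256 hash to the new policy and keep the meta element at the top, or note in the test that block 1 is intentionally pre-policy so the 1/4 count is not read as four hash-checked blocks.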
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashbasicblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-expected.txt (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-expected.txt        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-expected.txt        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,10 +1,10 @@
</span><span class="cx"> ALERT: PASS (1/1)
</span><del>-CONSOLE MESSAGE: line 10: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='". Either the 'unsafe-inline' keyword, a hash ('sha256-bXMksCHhVxMyxdbJpZuZicpO8HCDLuN9ZzcfnlVeN4k='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 10: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE'".
</ins><span class="cx">
</span><del>-CONSOLE MESSAGE: line 13: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='". Either the 'unsafe-inline' keyword, a hash ('sha256-WJxPiOlT6TFxc+Ol71ivP0eHtjokcBKNXLU0usIYZz4='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 13: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE'".
</ins><span class="cx">
</span><del>-CONSOLE MESSAGE: line 15: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='". Either the 'unsafe-inline' keyword, a hash ('sha256-IytoJzJfZC0NOAbaSFNz+QyLVnbrELCXScgDL6ldIwE='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 15: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE'".
</ins><span class="cx">
</span><del>-CONSOLE MESSAGE: line 16: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='". Either the 'unsafe-inline' keyword, a hash ('sha256-GK8kAPOt6ZIhmzOr3QzHpIkbTXB/Jpc6PXuliF2zoj0='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 16: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE'".
</ins><span class="cx">
</span><span class="cx"> This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and four console warings are visible.
</span></span></pre></div>
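Review bot: dropping the suffix `Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.` from all four messages also drops the only check that the correct SHA-256 digest of each blocked script is computed and reported (the old lines carried a different suggested hash per script, e.g. `'sha256-bXMksCHhVxMyxdbJpZuZicpO8HCDLuN9ZzcfnlVeN4k='` for line 10). If the console text was shortened on purpose, the ChangeLog should say so; otherwise keep the suggested hashes in the expectation so a regression in the digest computation is still caught here.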
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashbasicblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked.html (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked.html        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked.html        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <meta http-equiv="Content-Security-Policy" content="script-src 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='">
</del><ins>+ <meta http-equiv="Content-Security-Policy" content="script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE'">
</ins><span class="cx"> <script>
</span><span class="cx"> if (window.testRunner)
</span><span class="cx"> testRunner.dumpAsText();
</span></span></pre></div>
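Review bot: the replacement source `'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE'` is 43 base64 characters with no `=` padding. That is permitted by the CSP 2 base64-value grammar (the trailing `=` characters are optional), so the source is well-formed and simply does not match, but nothing else in this patch tests unpadded input deliberately; add a short comment here saying the padding is intentionally omitted, or add an explicit "SHA-256 hash without padding" case to scripthash-tests.html so that behaviour is covered on purpose.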
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashdefaultsrcexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src-expected.txt (0 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src-expected.txt         (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src-expected.txt        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+
+PASS Script Hash allow hash in default-src
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashignoreunsafeinlineexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline-expected.txt (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline-expected.txt        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline-expected.txt        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><span class="cx"> ALERT: PASS (1/1)
</span><del>-CONSOLE MESSAGE: line 10: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=' 'unsafe-inline'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
</del><ins>+CONSOLE MESSAGE: line 10: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE' 'unsafe-inline'".
</ins><span class="cx">
</span><span class="cx"> This tests that a valid hash value disables inline JavaScript, even if 'unsafe-inline' is present.
</span></span></pre></div>
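Review bot: the removed sentence `Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.` was the part of the console message that explains the behaviour this test exists for (see the description on the last context line); without it a developer sees only a refusal that names a directive containing `'unsafe-inline'`, which reads as a contradiction. If the message was shortened deliberately, say so in the ChangeLog; otherwise keep that note in the violation message.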
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashignoreunsafeinlinehtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline.html (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline.html        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-ignore-unsafeinline.html        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <meta http-equiv="Content-Security-Policy" content="script-src 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=' 'unsafe-inline'">
</del><ins>+ <meta http-equiv="Content-Security-Policy" content="script-src 'sha256-0WwzeJrO6lcDUe7o6BR3lx0b8uiBvXBX5MNFFKF7iYE' 'unsafe-inline'">
</ins><span class="cx"> <script>
</span><span class="cx"> if (window.testRunner)
</span><span class="cx"> testRunner.dumpAsText();
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashmalformedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-malformed-expected.txt (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-malformed-expected.txt        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-malformed-expected.txt        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,4 +1,5 @@
</span><del>-CONSOLE MESSAGE: line 5: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-j+ToFnhur5mTSCwoyy4Fh'. It will be ignored.
-CONSOLE MESSAGE: line 5: Unrecognized Content-Security-Policy directive ''sha512-0tQJUSPHRGUYQIa2ByQWZSlUa5sI3e2tOEXF7sg5mjmsHk/EHDTTORIDyMPhDKgCmb7TIrwhLrq2kEvfjHQ==''.
</del><ins>+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha1-vMUNaexq6wlYKxWWPlJUOvhn67U=''. It will be ignored.
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-j+ToFnhur5mTSCwoyy4Fh'. It will be ignored.
+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive ''sha512-0tQJUSPHRGUYQIa2ByQWZSlUa5sI3e2tOEXF7sg5mjmsHk/EHDTTORIDyMPhDKgCmb7TIrwhLrq2kEvfjHQ==''.
</ins><span class="cx">
</span><span class="cx">
</span></span></pre></div>
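Review bot: the new expectations drop the `line 5:` prefix from the two pre-existing messages, so the invalid-source and unrecognized-directive reports no longer point at the meta element that carries the policy; if the source list is now parsed before a document position is available, that loss of context belongs in the ChangeLog, and if it is unintended the line number should be restored. The added first line correctly reports the former `'sha1-vMUNaexq6wlYKxWWPlJUOvhn67U='` source as invalid now that SHA-1 is no longer an accepted hash algorithm.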
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashtestsexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt (0 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt         (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -0,0 +1,84 @@
</span><ins>+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-rrdh0QCl46qqHxfnnk08ydh/rkhVi2JvD6DLuUP30MI='".
+
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-W4kKNfgvUMesHeVX1eGn6f3LfuntH7p4YjLeOauCA/I='".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA=''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha-dummy''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha-dummy'".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''d&mmy''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'd&mmy'".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA=''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' '/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='".
+
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha384-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='".
+
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha512-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-/Vet2Rva6wwsny8xybL+=bQal0Gtf0FZW7EOVqqg+Hna=''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-/Vet2Rva6wwsny8xybL+=bQal0Gtf0FZW7EOVqqg+Hna='".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA==''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA=='".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA===''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA==='".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-'. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-'".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-#''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-#'".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-abc&=''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-abc&='".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-abc&==''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-abc&=='".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-LyogVGhpcyBpcyBhIGxvbmcgY29tbWVudCB0aGF0IHdpbGwgYmUgZW5jb2RlZCB1c2luZyBCYXNlNjQgdG8gcHJvZHVjZSBhbiBlbmNvZGVkIHN0cmluZyBvdXRwdXQgdGhhdCBpcyBsb25nZXIgdGhhbiBhIFNlY3VyZSBIYXNoIEFsZ29yaXRobS01MTIgZGlnZXN0LiAqLw==''. It will be ignored.
+CONSOLE MESSAGE: line 5: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-LyogVGhpcyBpcyBhIGxvbmcgY29tbWVudCB0aGF0IHdpbGwgYmUgZW5jb2RlZCB1c2luZyBCYXNlNjQgdG8gcHJvZHVjZSBhbiBlbmNvZGVkIHN0cmluZyBvdXRwdXQgdGhhdCBpcyBsb25nZXIgdGhhbiBhIFNlY3VyZSBIYXNoIEFsZ29yaXRobS01MTIgZGlnZXN0LiAqLw=='".
+
+This tests that script hashes work and conform to the Content Security Policy 2.0 specification.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS "Base64 encoded SHA-256 hash" did run inline script.
+PASS "Base64 encoded SHA-256 hash with mixed case prefix" did run inline script.
+PASS "Base64url encoded SHA-256 hash" did run inline script.
+PASS "Base64 encoded SHA-384 hash" did run inline script.
+PASS "Base64url encoded SHA-384 hash" did run inline script.
+PASS "Base64 encoded SHA-512 hash" did run inline script.
+PASS "Base64url encoded SHA-512 hash" did run inline script.
+PASS "Script that contains HTML entity &gt;" did run inline script.
+PASS "Script that contains Unicode code point U+00C5" did run inline script.
+PASS "Unicode code point U+00C5 is not equivalent to U+212B" did not run inline script.
+PASS "Unicode code point U+212B is equivalent to U+00C5" did run inline script.
+PASS "Big-5 page with Big-5 hash" did run inline script.
+PASS "Big-5 page with UTF-8 hash" did not run inline script.
+PASS "Hash source with invalid prefix" did not run inline script.
+PASS "Invalid prefix" did not run inline script.
+PASS "Invalid hash and no prefix" did not run inline script.
+PASS "Hash without prefix" did not run inline script.
+PASS "SHA-256 hash with SHA-384 prefix" did not run inline script.
+PASS "SHA-256 hash with SHA-512 prefix" did not run inline script.
+PASS "Malformed SHA-256 hash (equal sign in disallowed position)" did not run inline script.
+PASS "SHA-256 hash with one extraneous equal sign" did not run inline script.
+PASS "SHA-256 hash with two extraneous equal signs" did not run inline script.
+PASS "Malformed hash source" did not run inline script.
+PASS "Hash source without hash" did not run inline script.
+PASS "Hash source without invalid hash" did not run inline script.
+PASS "Hash source without invalid hash2" did not run inline script.
+PASS "Hash source without invalid hash3" did not run inline script.
+PASS "Hash that is larger that 64 bytes" did not run inline script.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
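Review bot: the `'sha384-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='` and `'sha512-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='` cases produce only a "Refused to execute inline script" message and no "contains an invalid source" message, whereas the over-long `'sha256-LyogVGhp...'` value and the `'sha-...'` prefix do get one. So the parser enforces an upper length bound but does not check that the decoded digest length matches the prefix (32, 48 or 64 bytes). The CSP 2 grammar itself does not tie the base64-value length to the algorithm, so this is not wrong, but a developer who pastes a SHA-256 digest under a sha384 prefix gets no hint why it never matches; consider emitting the invalid-source message for a digest whose length cannot belong to the named algorithm and adjusting these two expectations.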
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashtestshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html (0 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html         (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -0,0 +1,275 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+
+const DoNotRunInlineScript = false;
+const RunInlineScript = true;
+
+var tests = [
+// Simple
+{
+ name: "Base64 encoded SHA-256 hash",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='",
+ expectedResult: RunInlineScript,
+},
+{
+ name: "Base64 encoded SHA-256 hash with mixed case prefix",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'SHa256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='",
+ expectedResult: RunInlineScript,
+},
+{
+ name: "Base64url encoded SHA-256 hash",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'SHa256-_vET2rVA6WWSNY8XYBl-BqAL0gTF0fzw7eovQQG-hNA='",
+ expectedResult: RunInlineScript,
+},
+{
+ name: "Base64 encoded SHA-384 hash",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha384-+2z3lkISbDOt4AKFTEPrIPQK77NC7dumupDVevpcOzg5bsdmKh0tI9t6kDLJzEqH'",
+ expectedResult: RunInlineScript,
+},
+{
+ name: "Base64url encoded SHA-384 hash",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha384--2z3lkISbDOt4AKFTEPrIPQK77NC7dumupDVevpcOzg5bsdmKh0tI9t6kDLJzEqH'",
+ expectedResult: RunInlineScript,
+},
+{
+ name: "Base64 encoded SHA-512 hash",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha512-Qh1vKVk9nyoM8LWzH9RkfEBQNxky/6izE0GbZ2D7RkwwuTQPC2pIG+ReFxOfnijVvqeopfYZShxvpLIGWdpRwg=='",
+ expectedResult: RunInlineScript,
+},
+{
+ name: "Base64url encoded SHA-512 hash",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha512-Qh1vKVk9nyoM8LWzH9RkfEBQNxky_6izE0GbZ2D7RkwwuTQPC2pIG-ReFxOfnijVvqeopfYZShxvpLIGWdpRwg=='",
+ expectedResult: RunInlineScript,
+},
+// HTML entity test case
+{
+ name: "Script that contains HTML entity &gt;",
+ charset: "UTF8",
+ script: "didRunInlineScript+%3D+true%3B+//+%26gt%3B",
+ hashSource: "'sha256-Wcu0hRB2z5RQ2pcRLxzsVob2mmIuW0Qt+xRwr5n6hKM='",
+ expectedResult: RunInlineScript,
+},
+// Unicode normalization test cases
+{
+ name: "Script that contains Unicode code point U+00C5",
+ charset: "UTF8",
+ script: "didRunInlineScript+%3D+true%3B+//+%C3%85", // %C3%85 is the URL encoded UTF-8 byte sequence for U+00C5.
+ hashSource: "'sha256-K3oo3dJj28X47TIh/UinhDWS3C5DfcQVCRzw4JM7SWE='",
+ expectedResult: RunInlineScript,
+},
+{
+ name: "Unicode code point U+00C5 is not equivalent to U+212B",
+ charset: "UTF8",
+ script: "didRunInlineScript+%3D+true%3B+//+%C3%85", // %C3%85 is the URL encoded UTF-8 byte sequence for U+00C5.
+ hashSource: "'sha256-rrdh0QCl46qqHxfnnk08ydh/rkhVi2JvD6DLuUP30MI='", // Hash of "didRunInlineScript+%3D+true%3B+//+%E2%84%AB"
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "Unicode code point U+212B is equivalent to U+00C5",
+ charset: "UTF8",
+ script: "didRunInlineScript+%3D+true%3B+//+%E2%84%AB", // %E2%84%AB is the URL encoded UTF-8 byte sequence for U+212B.
+ hashSource: "'sha256-K3oo3dJj28X47TIh/UinhDWS3C5DfcQVCRzw4JM7SWE='", // Intentionally not 'sha256-rrdh0QCl46qqHxfnnk08ydh/rkhVi2JvD6DLuUP30MI='
+ expectedResult: RunInlineScript,
+},
+// Big-5 encoding test cases
+{
+ name: "Big-5 page with Big-5 hash",
+ charset: "Big5",
+ script: "didRunInlineScript+%3D+true%3B+//+%A4%F4",
+ hashSource: "'sha256-J08nmORtZZyj86mnbklnHBObVEnsakqZcYsabqsSJmc='",
+ expectedResult: RunInlineScript,
+},
+{
+ name: "Big-5 page with UTF-8 hash",
+ charset: "Big5",
+ script: "didRunInlineScript+%3D+true%3B+//+%A4%F4",
+ hashSource: "'sha256-W4kKNfgvUMesHeVX1eGn6f3LfuntH7p4YjLeOauCA/I='",
+ expectedResult: DoNotRunInlineScript,
+},
+// Malformed and invalid test cases
+{
+ name: "Hash source with invalid prefix",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "Invalid prefix",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha-dummy'",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "Invalid hash and no prefix",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'d&mmy'",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "Hash without prefix",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "SHA-256 hash with SHA-384 prefix",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha384-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "SHA-256 hash with SHA-512 prefix",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha512-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA='",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "Malformed SHA-256 hash (equal sign in disallowed position)",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha256-/Vet2Rva6wwsny8xybL+=bQal0Gtf0FZW7EOVqqg+Hna='",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "SHA-256 hash with one extraneous equal sign",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA=='",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "SHA-256 hash with two extraneous equal signs",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA==='",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "Malformed hash source",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha256-",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "Hash source without hash",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha256-'",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "Hash source without invalid hash",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha256-#'",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "Hash source without invalid hash2",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha256-abc&='",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "Hash source without invalid hash3",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha256-abc&=='",
+ expectedResult: DoNotRunInlineScript,
+},
+{
+ name: "Hash that is larger that 64 bytes",
+ charset: "UTF8",
+ script: encodeURIComponent("didRunInlineScript = true;"),
+ hashSource: "'sha256-LyogVGhpcyBpcyBhIGxvbmcgY29tbWVudCB0aGF0IHdpbGwgYmUgZW5jb2RlZCB1c2luZyBCYXNlNjQgdG8gcHJvZHVjZSBhbiBlbmNvZGVkIHN0cmluZyBvdXRwdXQgdGhhdCBpcyBsb25nZXIgdGhhbiBhIFNlY3VyZSBIYXNoIEFsZ29yaXRobS01MTIgZGlnZXN0LiAqLw=='",
+ expectedResult: DoNotRunInlineScript,
+},
+];
+
+var indexOfCurrentTest = -1;
+var frame;
+
+function testsFinished()
+{
+ document.body.removeChild(frame);
+ finishJSTest();
+}
+
+function checkResult(didRunInlineScript)
+{
+ var test = tests[indexOfCurrentTest];
+ var expectedResult = test.expectedResult;
+ var message;
+ if (expectedResult === didRunInlineScript) {
+ if (expectedResult === RunInlineScript)
+ message = "did run inline script.";
+ else
+ message = "did not run inline script.";
+ testPassed('"' + test.name + '" ' + message);
+ } else {
+ if (expectedResult === RunInlineScript)
+ message = "should have run inline script. But did not.";
+ else
+ message = "should not have ran inline script. But did.";
+ testFailed('"' + test.name + '" ' + message);
+ }
+ runNextTest();
+}
+
+function runNextTest()
+{
+ if (++indexOfCurrentTest >= tests.length) {
+ testsFinished();
+ return;
+ }
+ var test = tests[indexOfCurrentTest];
+ var queryStringArguments = {
+ charset: encodeURIComponent(test.charset),
+ script: test.script, // The test is responsible for URL encoding this value.
+ hashSource: encodeURIComponent(test.hashSource),
+ };
+ var queryString = Object.keys(queryStringArguments).map(function (key) { return key + "=" + queryStringArguments[key]; }).join("&");
+ frame.src = "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/resources/testScriptHash.php?" + queryString;
+}
+
+window.onload = function ()
+{
+ frame = document.getElementById("frame");
+ runNextTest();
+}
+</script>
+</head>
+<body>
+<script>
+ description("This tests that script hashes work and conform to the Content Security Policy 2.0 specification.");
+</script>
+<iframe id="frame"></iframe>
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
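Review bot: several test names do not describe their inputs: `name: "Hash source without invalid hash"` (and `hash2`, `hash3`) label cases whose source does contain an invalid hash (`'sha256-#'`, `'sha256-abc&='`, `'sha256-abc&=='`), and `"Hash that is larger that 64 bytes"` should read "larger than"; the names are echoed into scripthash-tests-expected.txt, so both files change together. The "Base64url encoded SHA-256 hash" case uses the mixed-case prefix `'SHa256-_vET2rVA6WWSNY8XYBl-BqAL0gTF0fzw7eovQQG-hNA='`, which conflates base64url decoding with case-insensitive prefix matching (already covered by the preceding case); use a lowercase `sha256-` prefix there. Also `message = "should not have ran inline script. But did.";` should read "should not have run".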
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashunicodenormalizationhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -2,7 +2,7 @@
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><span class="cx"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</span><del>- <meta http-equiv="Content-Security-Policy" content="script-src 'sha1-zv73epHrGLk/k/onuSBPoZAxzaA=' 'sha1-gbGNUiHncUNJ+diPbIoc+x6KrLo='">
</del><ins>+ <meta http-equiv="Content-Security-Policy" content="script-src 'sha256-OBpkpZD3ME366d9wfdsWwYSvYORUMfT+bvUVI5XJzBw=' 'sha256-bYf1lsJFPmWnm4DhDJwwaEKKonw7TN3KLz5M8J0PpIE='">
</ins><span class="cx"> <script>
</span><span class="cx"> if (window.testRunner)
</span><span class="cx"> testRunner.dumpAsText();
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashallowedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed-expected.txt (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed-expected.txt        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed-expected.txt        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,11 +1,8 @@
</span><del>-ALERT: PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.
-ALERT: PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.
-ALERT: PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.
-ALERT: PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied.
</del><ins>+ALERT: PASS (1/3): The '#p1' element's text is green, which means the style was correctly applied.
+ALERT: PASS (2/3): The '#p2' element's text is green, which means the style was correctly applied.
+ALERT: PASS (3/3): The '#p3' element's text is green, which means the style was correctly applied.
</ins><span class="cx"> This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p1 is fired.
</span><span class="cx">
</span><span class="cx"> This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p2 is fired.
</span><span class="cx">
</span><span class="cx"> This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p3 is fired.
</span><del>-
-This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p4 is fired.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashallowedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed.html (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed.html        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed.html        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,44 +1,36 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <meta http-equiv="Content-Security-Policy" content="style-src 'sha1-eYyYGmKWdhpUewohaXk9o8IaLSw=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='">
</del><ins>+ <meta http-equiv="Content-Security-Policy" content="style-src 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha384-24Tf5u9STWAAJB2RRvecrrMSPtgnGnL8lx/mnxBm9P1mSHLW01CGK2U5WL6SAI/A' 'sha512-0x+WTjqWkJm9la1gVWtFpuSjwY+f1bJMQukr+nPcc3bgGSxakvxY01D7UvR4qEKEo/PWfsmJOgH2i8GKBFMYMQ=='">
</ins><span class="cx"> </head>
</span><span class="cx"> <body>
</span><span class="cx"> <p id="p1">This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p1 is fired.</p>
</span><span class="cx"> <p id="p2">This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p2 is fired.</p>
</span><span class="cx"> <p id="p3">This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p3 is fired.</p>
</span><del>- <p id="p4">This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p4 is fired.</p>
</del><span class="cx"> <style>p#p1 { color: green; }</style>
</span><span class="cx"> <style>p#p2 { color: green; }</style>
</span><span class="cx"> <style>p#p3 { color: green; }</style>
</span><del>- <style>p#p4 { color: green; }</style>
</del><span class="cx"> <script>
</span><span class="cx"> if (window.testRunner)
</span><span class="cx"> testRunner.dumpAsText();
</span><span class="cx">
</span><span class="cx"> var color = window.getComputedStyle(document.querySelector('#p1')).color;
</span><span class="cx"> if (color === "rgb(0, 128, 0)")
</span><del>- alert("PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.");
</del><ins>+ alert("PASS (1/3): The '#p1' element's text is green, which means the style was correctly applied.");
</ins><span class="cx"> else
</span><del>- alert("FAIL (1/4): The '#p1' element's text is " + color + ", which means the style was incorrectly applied.");
</del><ins>+ alert("FAIL (1/3): The '#p1' element's text is " + color + ", which means the style was incorrectly applied.");
</ins><span class="cx">
</span><span class="cx"> var color = window.getComputedStyle(document.querySelector('#p2')).color;
</span><span class="cx"> if (color === "rgb(0, 128, 0)")
</span><del>- alert("PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.");
</del><ins>+ alert("PASS (2/3): The '#p2' element's text is green, which means the style was correctly applied.");
</ins><span class="cx"> else
</span><del>- alert("FAIL (2/4): The '#p2' element's text is " + color + ", which means the style was incorrectly applied.");
</del><ins>+ alert("FAIL (2/3): The '#p2' element's text is " + color + ", which means the style was incorrectly applied.");
</ins><span class="cx">
</span><span class="cx"> var color = window.getComputedStyle(document.querySelector('#p3')).color;
</span><span class="cx"> if (color === "rgb(0, 128, 0)")
</span><del>- alert("PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.");
</del><ins>+ alert("PASS (3/3): The '#p3' element's text is green, which means the style was correctly applied.");
</ins><span class="cx"> else
</span><del>- alert("FAIL (3/4): The '#p3' element's text is " + color + ", which means the style was incorrectly applied.");
-
- var color = window.getComputedStyle(document.querySelector('#p4')).color;
- if (color === "rgb(0, 128, 0)")
- alert("PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied.");
- else
- alert("FAIL (4/4): The '#p4' element's text is " + color + ", which means the style was incorrectly applied.");
</del><ins>+ alert("FAIL (3/3): The '#p3' element's text is " + color + ", which means the style was incorrectly applied.");
</ins><span class="cx"> </script>
</span><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
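<p>Review bot: dropping the p4 / 'sha1-…' case removes the only coverage of how an unsupported hash algorithm in a source list is handled, instead of turning it into a negative test. toCryptoDigestAlgorithm() in ContentSecurityPolicy.cpp maps only SHA_256, SHA_384 and SHA_512, so a 'sha1-…' expression should be treated as an unrecognised source expression; keep a test asserting that a policy such as style-src 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo=' still blocks an inline style (and does not derail parsing of the expressions after it), otherwise a regression that quietly accepts SHA-1 digests would go unnoticed. Also, nothing in this file records which style element each of the three remaining hashes was computed over; a comment next to each hash naming the style text it covers would save the next person from recomputing all three to find out why a test started failing.</p>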
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashbasicblockederroreventhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-error-event.html (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-error-event.html        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-error-event.html        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -2,7 +2,7 @@
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><span class="cx"> <title>Style element has error on bad style hash</title>
</span><del>- <meta http-equiv="Content-Security-Policy" content="style-src 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='">
</del><ins>+ <meta http-equiv="Content-Security-Policy" content="style-src 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs='">
</ins><span class="cx"> <script src="/js-test-resources/testharness.js"></script>
</span><span class="cx"> <script src="/js-test-resources/testharnessreport.js"></script>
</span><span class="cx"> <script>
</span></span></pre></div>
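<p>Review bot: the title says the style hash is "bad", but the replacement value 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs=' is the same one stylehash-basic-blocked.html uses as the valid hash that allows its p { color: green; } style; whether it is a non-match here depends entirely on this file's style element contents, which are outside the hunk. Add a comment at the meta element stating which style text this hash does, or deliberately does not, correspond to, so the intended mismatch is visible at the point of use rather than recoverable only by recomputing the digest.</p>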
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashbasicblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-expected.txt (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-expected.txt        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-expected.txt        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,8 +1,8 @@
</span><del>-CONSOLE MESSAGE: line 6: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='". Either the 'unsafe-inline' keyword, a hash ('sha256-pckGv9YvNcB5xy+Y4fbqhyo+ib850wyiuWeNbZvLi00='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 6: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs='".
</ins><span class="cx">
</span><del>-CONSOLE MESSAGE: line 7: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='". Either the 'unsafe-inline' keyword, a hash ('sha256-QtAhp+kqgljyNFcV4FsL0pofPI/L7IVXid6JT5PtsZA='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 7: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs='".
</ins><span class="cx">
</span><del>-CONSOLE MESSAGE: line 8: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='". Either the 'unsafe-inline' keyword, a hash ('sha256-QSqLgiKqPxCeZH1d3vWR+4HJOthCVhvG1P/AFaVJfR4='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 8: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs='".
</ins><span class="cx">
</span><span class="cx"> ALERT: PASS: The 'p' element's text is green, which means the style was correctly applied.
</span><span class="cx"> This tests the effect of a valid style-hash value, with one valid style and several invalid ones. It passes if the valid style is applied and three console warnings are visible.
</span></span></pre></div>
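<p>Review bot: the new console message loses the actionable half of the old one: the computed 'sha256-…' value for the rejected style and the hint that 'unsafe-inline', a hash or a nonce is required. The old expected output shows WebKit already emitted that digest before this change, and it is the main way developers obtain correct hashes when migrating a page away from 'unsafe-inline'; now that isAllowedByAllWithHashFromContent() computes digests anyway, restoring the suffix is cheap. If the omission is deliberate (for instance because the digest is only computed when a policy already contains hash sources), say so in the ChangeLog, since "three console warnings are visible" at the bottom of this file no longer describes the same warnings.</p>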
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashbasicblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked.html (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked.html        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked.html        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <meta http-equiv="Content-Security-Policy" content="style-src 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='">
</del><ins>+ <meta http-equiv="Content-Security-Policy" content="style-src 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs='">
</ins><span class="cx"> <style>p { color: green; }</style>
</span><span class="cx"> <style>p { color: red; }</style>
</span><span class="cx"> <style>p { color: purple; }</style>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashdefaultsrcexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src-expected.txt (0 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src-expected.txt         (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src-expected.txt        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+
+PASS Style Hash allow hash in default-src
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylehashsvgstylebasicblockederroreventhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-svg-style-basic-blocked-error-event.html (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-svg-style-basic-blocked-error-event.html        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-svg-style-basic-blocked-error-event.html        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -2,7 +2,7 @@
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><span class="cx"> <title>SVG Style element has error on bad style hash</title>
</span><del>- <meta http-equiv="Content-Security-Policy" content="style-src 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='">
</del><ins>+ <meta http-equiv="Content-Security-Policy" content="style-src 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs='">
</ins><span class="cx"> <script src="/js-test-resources/testharness.js"></script>
</span><span class="cx"> <script src="/js-test-resources/testharnessreport.js"></script>
</span><span class="cx"> <script>
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/ChangeLog        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -1,3 +1,95 @@
</span><ins>+2016-03-10 Daniel Bates <dabates@apple.com>
+
+ CSP: Implement support for inline script and inline style hashes
+ https://bugs.webkit.org/show_bug.cgi?id=155007
+ <rdar://problem/24964098>
+
+ Reviewed by Brent Fulgham.
+
+ Inspiration taken from the analogous implementation in Blink.
+
+ Add support for script-src and style-src hashes as per sections Hash usage for script elements
+ and Hash usage for style elements of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+ Test: http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html
+
+ * WebCore.xcodeproj/project.pbxproj: Add file ContentSecurityPolicyHash.h. Also sort the list of files
+ in the group WebCore/page/csp.
+ * dom/InlineStyleSheetOwner.cpp:
+ (WebCore::InlineStyleSheetOwner::createSheet): Pass the content of the stylesheet when querying whether
+ the stylesheet is allowed by the Content Security Policy.
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::executeScript): Pass the content of the inline JavaScript script when querying
+ whether the script is allowed by the Content Security Policy.
+ * dom/StyledElement.cpp:
+ (WebCore::StyledElement::styleAttributeChanged): The Content Security Policy style-src hashes do not apply
+ to inline styles defined in the HTML style attribute. So, pass a null string (to indicate the absence of
+ content) when querying whether the inline style is allowed by the Content Security Policy.
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::toCryptoDigestAlgorithm): Convenience function that maps a ContentSecurityPolicyHashAlgorithm
+ enumerator to a CryptoDigest::Algorithm enumerator.
+ (WebCore::isAllowedByAllWithHashFromContent): Computes the digest of the specified content for each
+ hash algorithm and checks if digest matches a hash that was specified in a policy.
+ (WebCore::ContentSecurityPolicy::documentEncoding): Added.
+ (WebCore::ContentSecurityPolicy::allowInlineScript): Check if the hash of the script matches a known
+ hash if applicable. Otherwise, fall back to checking the URL of the script.
+ (WebCore::ContentSecurityPolicy::allowInlineStyle): Check if the hash of the stylesheet matches a
+ known hash if applicable. Otherwise, fall back to checking the URL of the stylesheet.
+ * page/csp/ContentSecurityPolicy.h:
+ (WebCore::ContentSecurityPolicy::addHashAlgorithmsForInlineScripts): Adds the specified set of
+ hash algorithms to the existing set of hash algorithms we know are used for inline scripts.
+ (WebCore::ContentSecurityPolicy::addHashAlgorithmsForInlineStylesheets): Adds the specified set of
+ hash algorithms to the existing set of hash algorithms we know are used for inline stylesheets.
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::checkEval): Make this a static, non-member function because it does not depend on any
+ instance or class variables. Mark this function as inline to give a hint to the compiler that it
+ should consider inlining the implementation of this function into the caller.
+ (WebCore::checkInline): Ditto.
+ (WebCore::checkSource): Ditto.
+ (WebCore::checkHash): Checks if the directive allows content with the specified hash.
+ (WebCore::checkMediaType): Make this a static, non-member function because it does not depend on
+ any instance or class variables. Mark this function as inline to give a hint to the compiler that
+ it should consider inlining the implementation of this function into the caller.
+ (WebCore::ContentSecurityPolicyDirectiveList::create): Modified as needed now that WebCore::checkEval()
+ is a static, non-member function.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowInlineScriptWithHash): Added.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowInlineStyleWithHash): Added.
+ (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Modified to pass the hash algorithms seen
+ from parsing the directives script-src, style-src, and default-src to the ContentSecurityPolicy object.
+ (WebCore::ContentSecurityPolicyDirectiveList::checkEval): Deleted.
+ (WebCore::ContentSecurityPolicyDirectiveList::checkInline): Deleted.
+ (WebCore::ContentSecurityPolicyDirectiveList::checkSource): Deleted.
+ (WebCore::ContentSecurityPolicyDirectiveList::checkMediaType): Deleted.
+ * page/csp/ContentSecurityPolicyDirectiveList.h:
+ * page/csp/ContentSecurityPolicyHash.h: Added.
+ (WTF::DefaultHash<WebCore::ContentSecurityPolicyDigest>::Hash::hash): Compute the hash of a digest as
+ we would compute the hash of a string.
+ (WTF::DefaultHash<WebCore::ContentSecurityPolicyDigest>::Hash::equal): Compare digests for equality
+ by making use of Vector's equality operator.
+ * page/csp/ContentSecurityPolicySourceList.cpp:
+ (WebCore::ContentSecurityPolicySourceList::matches): Checks if the hash is in the set of known hashes.
+ (WebCore::ContentSecurityPolicySourceList::parse): Modified to call ContentSecurityPolicySourceList::parseHashSource()
+ to try to parse the source list expression as a hash source. If this fails then we try to parse the
+ source expression as a scheme/host/port expression.
+ (WebCore::parseHashAlgorithmAdvancingPosition): Parses the hash algorithm from a hash source expression.
+ (WebCore::isBase64Character): Returns whether the specified character is a valid Base64/Base64url character,
+ excluding the padding character '='. Disregarding the omission of the padding character '=', this function
+ conforms to the ABNF grammar defined in section Source Lists of the Content Security Policy Level 3 spec.,
+ <https://w3c.github.io/webappsec-csp> (Editor’s Draft, 29 February 2016). We take the padding character '='
+ into account in ContentSecurityPolicySourceList::parseHashSource().
+ (WebCore::ContentSecurityPolicySourceList::parseHashSource): Parses a hash source expression per the ABNF
+ grammar described in section Source Lists of the Content Security Policy Level 3 spec.
+ * page/csp/ContentSecurityPolicySourceList.h:
+ (WebCore::ContentSecurityPolicySourceList::hashAlgorithmsUsed): Returns the set of hash algorithms seen from
+ parsing the source list.
+ (WebCore::ContentSecurityPolicySourceList::allowInline): We only allow inline scripts/stylesheets if
+ 'unsafe-inline' was specified in the source list and the source list does not contain any hash sources.
+ * page/csp/ContentSecurityPolicySourceListDirective.cpp:
+ (WebCore::ContentSecurityPolicySourceListDirective::allows): Checks if the specified hash is in the source list.
+ * page/csp/ContentSecurityPolicySourceListDirective.h:
+ (WebCore::ContentSecurityPolicySourceListDirective::hashAlgorithmsUsed): Turns around and calls ContentSecurityPolicySourceList::hashAlgorithmsUsed().
+
+
</ins><span class="cx"> 2016-03-10 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><span class="cx"> Speculative revalidation requests do not have their 'first party for cookies' URL set
</span></span></pre></div>
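<p>Review bot: the "Test:" line names only scripthash-tests.html, but this commit also rewrites the stylehash-* tests (replacing 'sha1-…' sources with sha256/sha384/sha512 values and removing the p4 case), adds stylehash-default-src-expected.txt, and changes the wording of the inline-style violation console message; list those under "Tests:" and mention the message change, otherwise the expected-file diffs are unexplained. The entry also cites the CSP 2.0 Candidate Recommendation for hash semantics but the CSP Level 3 Editor's Draft for the hash-source grammar; one sentence on why the two are mixed, and that only sha256, sha384 and sha512 are recognised so existing 'sha1-…' sources become no-ops, would help the next reader.</p>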
<a id="trunkSourceWebCoreWebCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -6230,6 +6230,7 @@
</span><span class="cx">                 CE7B2DB41586ABAD0098B3FA /* AlternativeTextUIController.mm in Sources */ = {isa = PBXBuildFile; fileRef = CE7B2DB01586ABAD0098B3FA /* AlternativeTextUIController.mm */; };
</span><span class="cx">                 CE7B2DB51586ABAD0098B3FA /* TextAlternativeWithRange.h in Headers */ = {isa = PBXBuildFile; fileRef = CE7B2DB11586ABAD0098B3FA /* TextAlternativeWithRange.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 CE7B2DB61586ABAD0098B3FA /* TextAlternativeWithRange.mm in Sources */ = {isa = PBXBuildFile; fileRef = CE7B2DB21586ABAD0098B3FA /* TextAlternativeWithRange.mm */; };
</span><ins>+                CE7E17831C83A49100AD06AF /* ContentSecurityPolicyHash.h in Headers */ = {isa = PBXBuildFile; fileRef = CE7E17821C83A49100AD06AF /* ContentSecurityPolicyHash.h */; };
</ins><span class="cx">                 CE95208A1811B475007A5392 /* WebSafeIncrementalSweeperIOS.h in Headers */ = {isa = PBXBuildFile; fileRef = C2C4CB1D161A131200D214DA /* WebSafeIncrementalSweeperIOS.h */; };
</span><span class="cx">                 CEC337AD1A46071F009B8523 /* ServersSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = CEC337AC1A46071F009B8523 /* ServersSPI.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 CEC337AF1A46086D009B8523 /* GraphicsServicesSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = CEC337AE1A46086D009B8523 /* GraphicsServicesSPI.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -14250,6 +14251,7 @@
</span><span class="cx">                 CE7B2DB01586ABAD0098B3FA /* AlternativeTextUIController.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = AlternativeTextUIController.mm; sourceTree = "<group>"; };
</span><span class="cx">                 CE7B2DB11586ABAD0098B3FA /* TextAlternativeWithRange.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TextAlternativeWithRange.h; sourceTree = "<group>"; };
</span><span class="cx">                 CE7B2DB21586ABAD0098B3FA /* TextAlternativeWithRange.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = TextAlternativeWithRange.mm; sourceTree = "<group>"; };
</span><ins>+                CE7E17821C83A49100AD06AF /* ContentSecurityPolicyHash.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ContentSecurityPolicyHash.h; path = csp/ContentSecurityPolicyHash.h; sourceTree = "<group>"; };
</ins><span class="cx">                 CEC337AC1A46071F009B8523 /* ServersSPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ServersSPI.h; sourceTree = "<group>"; };
</span><span class="cx">                 CEC337AE1A46086D009B8523 /* GraphicsServicesSPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = GraphicsServicesSPI.h; sourceTree = "<group>"; };
</span><span class="cx">                 CECADFC2153778FF00E37068 /* DictationAlternative.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DictationAlternative.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -23197,6 +23199,7 @@
</span><span class="cx">                                 CE799FA21C6A503A0097B518 /* ContentSecurityPolicyDirective.h */,
</span><span class="cx">                                 CE799F991C6A4BCD0097B518 /* ContentSecurityPolicyDirectiveList.cpp */,
</span><span class="cx">                                 CE799F9A1C6A4BCD0097B518 /* ContentSecurityPolicyDirectiveList.h */,
</span><ins>+                                CE7E17821C83A49100AD06AF /* ContentSecurityPolicyHash.h */,
</ins><span class="cx">                                 CE799FA51C6A50570097B518 /* ContentSecurityPolicyMediaListDirective.cpp */,
</span><span class="cx">                                 CE799FA61C6A50570097B518 /* ContentSecurityPolicyMediaListDirective.h */,
</span><span class="cx">                                 CE6DADF71C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.cpp */,
</span><span class="lines">@@ -25297,6 +25300,7 @@
</span><span class="cx">                                 97C471DC12F925BD0086354B /* ContentSecurityPolicy.h in Headers */,
</span><span class="cx">                                 CE799FA41C6A503A0097B518 /* ContentSecurityPolicyDirective.h in Headers */,
</span><span class="cx">                                 CE799F9C1C6A4BCD0097B518 /* ContentSecurityPolicyDirectiveList.h in Headers */,
</span><ins>+                                CE7E17831C83A49100AD06AF /* ContentSecurityPolicyHash.h in Headers */,
</ins><span class="cx">                                 CE799FA81C6A50570097B518 /* ContentSecurityPolicyMediaListDirective.h in Headers */,
</span><span class="cx">                                 CE6DADFA1C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.h in Headers */,
</span><span class="cx">                                 CE799FA01C6A4C160097B518 /* ContentSecurityPolicySource.h in Headers */,
</span></span></pre></div>
<a id="trunkSourceWebCoredomInlineStyleSheetOwnercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -135,7 +135,7 @@
</span><span class="cx">
</span><span class="cx"> if (!isValidCSSContentType(element, m_contentType))
</span><span class="cx"> return;
</span><del>- if (!document.contentSecurityPolicy()->allowInlineStyle(document.url(), m_startTextPosition.m_line, element.isInUserAgentShadowTree()))
</del><ins>+ if (!document.contentSecurityPolicy()->allowInlineStyle(document.url(), m_startTextPosition.m_line, text, element.isInUserAgentShadowTree()))
</ins><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> RefPtr<MediaQuerySet> mediaQueries;
</span></span></pre></div>
<a id="trunkSourceWebCoredomScriptElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/ScriptElement.cpp (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/ScriptElement.cpp        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/dom/ScriptElement.cpp        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -293,7 +293,7 @@
</span><span class="cx"> if (sourceCode.isEmpty())
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber, m_element.isInUserAgentShadowTree()))
</del><ins>+ if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber, sourceCode.source().toStringWithoutCopying(), m_element.isInUserAgentShadowTree()))
</ins><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> #if ENABLE(NOSNIFF)
</span></span></pre></div>
<a id="trunkSourceWebCoredomStyledElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/StyledElement.cpp (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/StyledElement.cpp        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/dom/StyledElement.cpp        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -202,7 +202,7 @@
</span><span class="cx"> if (PropertySetCSSStyleDeclaration* cssomWrapper = inlineStyleCSSOMWrapper())
</span><span class="cx"> cssomWrapper->clearParentElement();
</span><span class="cx"> ensureUniqueElementData().m_inlineStyle = nullptr;
</span><del>- } else if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url(), startLineNumber, isInUserAgentShadowTree()))
</del><ins>+ } else if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url(), startLineNumber, String(), isInUserAgentShadowTree()))
</ins><span class="cx"> setInlineStyleFromString(newStyleString);
</span><span class="cx">
</span><span class="cx"> elementData()->setStyleAttributeIsDirty(false);
</span></span></pre></div>
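<p>Review bot: passing a bare String() to mean "no content; hash sources do not apply to the style attribute" is explained only in the ChangeLog. Put a short comment at this call site, or introduce a named overload, because a future caller copying this line for a style element would silently disable hash matching for it. It also relies on allowInlineStyle() treating a null String as empty via !styleContent.isEmpty(), which holds for WTF::String but is worth stating where the null is passed.</p>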
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -29,8 +29,10 @@
</span><span class="cx">
</span><span class="cx"> #include "ContentSecurityPolicyDirective.h"
</span><span class="cx"> #include "ContentSecurityPolicyDirectiveList.h"
</span><ins>+#include "ContentSecurityPolicyHash.h"
</ins><span class="cx"> #include "ContentSecurityPolicySource.h"
</span><span class="cx"> #include "ContentSecurityPolicySourceList.h"
</span><ins>+#include "CryptoDigest.h"
</ins><span class="cx"> #include "DOMStringList.h"
</span><span class="cx"> #include "Document.h"
</span><span class="cx"> #include "DocumentLoader.h"
</span><span class="lines">@@ -45,6 +47,7 @@
</span><span class="cx"> #include "SchemeRegistry.h"
</span><span class="cx"> #include "SecurityOrigin.h"
</span><span class="cx"> #include "SecurityPolicyViolationEvent.h"
</span><ins>+#include "TextEncoding.h"
</ins><span class="cx"> #include <inspector/InspectorValues.h>
</span><span class="cx"> #include <inspector/ScriptCallStack.h>
</span><span class="cx"> #include <inspector/ScriptCallStackFactory.h>
</span><span class="lines">@@ -183,6 +186,38 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+static CryptoDigest::Algorithm toCryptoDigestAlgorithm(ContentSecurityPolicyHashAlgorithm algorithm)
+{
+ switch (algorithm) {
+ case ContentSecurityPolicyHashAlgorithm::SHA_256:
+ return CryptoDigest::Algorithm::SHA_256;
+ case ContentSecurityPolicyHashAlgorithm::SHA_384:
+ return CryptoDigest::Algorithm::SHA_384;
+ case ContentSecurityPolicyHashAlgorithm::SHA_512:
+ return CryptoDigest::Algorithm::SHA_512;
+ }
+ ASSERT_NOT_REACHED();
+ return CryptoDigest::Algorithm::SHA_512;
+}
+
+template<bool (ContentSecurityPolicyDirectiveList::*allowed)(const ContentSecurityPolicyHash&) const>
+bool isAllowedByAllWithHashFromContent(const CSPDirectiveListVector& policies, const String& content, const TextEncoding& encoding, OptionSet<ContentSecurityPolicyHashAlgorithm> algorithms)
+{
+ // FIXME: Compute the digest with respect to the raw bytes received from the page.
+ // See <https://bugs.webkit.org/show_bug.cgi?id=155184>.
+ CString contentCString = encoding.encode(content, EntitiesForUnencodables);
+ for (auto algorithm : algorithms) {
+ auto cryptoDigest = CryptoDigest::create(toCryptoDigestAlgorithm(algorithm));
+ cryptoDigest->addBytes(contentCString.data(), contentCString.length());
+ Vector<uint8_t> digest = cryptoDigest->computeHash();
+ for (auto& policy : policies) {
+ if ((policy.get()->*allowed)(std::make_pair(algorithm, digest)))
+ return true;
+ }
+ }
+ return false;
+}
+
</ins><span class="cx"> template<bool (ContentSecurityPolicyDirectiveList::*allowFromURL)(const URL&, ContentSecurityPolicy::ReportingStatus) const>
</span><span class="cx"> bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
</span><span class="cx"> {
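Review bot: the policy loop in isAllowedByAllWithHashFromContent() returns true as soon as one policy accepts the digest, so with several policies in effect (a Content-Security-Policy header plus a meta http-equiv policy, say) an inline script whose hash is listed in one policy but not the other will run, and because allowInlineScript()/allowInlineStyle() return early on this result the second policy's allowInlineScript/allowInlineStyle check is never reached. The name says "by all"; make it so: for each policy, return false unless at least one algorithm's digest is accepted, and return true only after every policy has passed (compute each digest once, outside the policy loop, since it does not depend on the policy). Separately, the FIXME about hashing encoding.encode(content, EntitiesForUnencodables) rather than the bytes received is not only a fidelity issue: two different script texts, one containing a character the document encoding cannot represent (possible for content inserted through the DOM rather than parsed from the response) and the other containing the numeric entity text that EntitiesForUnencodables substitutes for it, produce identical digests, so a hash for one authorises both. Hashing the UTF-8 encoding of the source text, which has no unencodable characters, avoids that while the raw-bytes fix in bug 155184 is pending.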
</span><span class="lines">@@ -206,16 +241,39 @@
</span><span class="cx"> return overrideContentSecurityPolicy || isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowInlineEventHandlers>(m_policies, contextURL, contextLine, reportingStatus);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</del><ins>+// FIXME: We should compute the document encoding once and cache it instead of computing it on each invocation.
+const TextEncoding& ContentSecurityPolicy::documentEncoding() const
</ins><span class="cx"> {
</span><del>- return overrideContentSecurityPolicy || isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowInlineScript>(m_policies, contextURL, contextLine, reportingStatus);
</del><ins>+ if (!is<Document>(m_scriptExecutionContext))
+ return UTF8Encoding();
+ Document& document = downcast<Document>(*m_scriptExecutionContext);
+ if (TextResourceDecoder* decoder = document.decoder())
+ return decoder->encoding();
+ return UTF8Encoding();
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</del><ins>+bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& scriptContent, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</ins><span class="cx"> {
</span><del>- return overrideContentSecurityPolicy || m_overrideInlineStyleAllowed || isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine, reportingStatus);
</del><ins>+ if (overrideContentSecurityPolicy)
+ return true;
+ if (!m_hashAlgorithmsForInlineScripts.isEmpty() && !scriptContent.isEmpty()
+ && isAllowedByAllWithHashFromContent<&ContentSecurityPolicyDirectiveList::allowInlineScriptWithHash>(m_policies, scriptContent, documentEncoding(), m_hashAlgorithmsForInlineScripts))
+ return true;
+ return isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowInlineScript>(m_policies, contextURL, contextLine, reportingStatus);
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& styleContent, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+ if (overrideContentSecurityPolicy)
+ return true;
+ if (m_overrideInlineStyleAllowed)
+ return true;
+ if (!m_hashAlgorithmsForInlineStylesheets.isEmpty() && !styleContent.isEmpty()
+ && isAllowedByAllWithHashFromContent<&ContentSecurityPolicyDirectiveList::allowInlineStyleWithHash>(m_policies, styleContent, documentEncoding(), m_hashAlgorithmsForInlineStylesheets))
+ return true;
+ return isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine, reportingStatus);
+}
+
</ins><span class="cx"> bool ContentSecurityPolicy::allowEval(JSC::ExecState* state, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> return overrideContentSecurityPolicy || isAllowedByAllWithState<&ContentSecurityPolicyDirectiveList::allowEval>(m_policies, state, reportingStatus);
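Review bot: In allowInlineScript (and allowInlineStyle just below it) the hash lookup and the 'unsafe-inline' lookup are two separate all-policies checks, so with more than one policy in force a script that policy A allows by hash and policy B allows by 'unsafe-inline' is refused: isAllowedByAllWithHashFromContent fails on B (its source list has no hashes, so allows(hash) is false), and the fallback isAllowedByAllWithContext fails on A because allowInline() is now false for a list that carries hashes. CSP requires each policy to be satisfied independently by either mechanism, so consider moving the hash match into the per-policy allowInlineScript/allowInlineStyle decision rather than testing it globally first. Also, the hash path is skipped when scriptContent.isEmpty(), so an empty inline script whitelisted by the hash of the empty string still goes through the reporting fallback; probably harmless, but worth a comment.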
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -29,6 +29,7 @@
</span><span class="cx">
</span><span class="cx"> #include "ContentSecurityPolicyResponseHeaders.h"
</span><span class="cx"> #include "ScriptState.h"
</span><ins>+#include <wtf/OptionSet.h>
</ins><span class="cx"> #include <wtf/Vector.h>
</span><span class="cx"> #include <wtf/text/TextPosition.h>
</span><span class="cx">
</span><span class="lines">@@ -43,8 +44,11 @@
</span><span class="cx"> class DOMStringList;
</span><span class="cx"> class ScriptExecutionContext;
</span><span class="cx"> class SecurityOrigin;
</span><ins>+class TextEncoding;
</ins><span class="cx"> class URL;
</span><span class="cx">
</span><ins>+enum class ContentSecurityPolicyHashAlgorithm;
+
</ins><span class="cx"> typedef Vector<std::unique_ptr<ContentSecurityPolicyDirectiveList>> CSPDirectiveListVector;
</span><span class="cx"> typedef int SandboxFlags;
</span><span class="cx">
</span><span class="lines">@@ -82,8 +86,8 @@
</span><span class="cx"> };
</span><span class="cx"> bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><del>- bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</del><ins>+ bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& scriptContent, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& styleContent, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</ins><span class="cx"> bool allowEval(JSC::ExecState* = nullptr, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowPluginType(const String& type, const String& typeAttribute, const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="lines">@@ -134,6 +138,14 @@
</span><span class="cx"> void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<String>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
</span><span class="cx"> void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
</span><span class="cx"> void enforceSandboxFlags(SandboxFlags sandboxFlags) { m_sandboxFlags |= sandboxFlags; }
</span><ins>+ void addHashAlgorithmsForInlineScripts(OptionSet<ContentSecurityPolicyHashAlgorithm> hashAlgorithmsForInlineScripts)
+ {
+ m_hashAlgorithmsForInlineScripts |= hashAlgorithmsForInlineScripts;
+ }
+ void addHashAlgorithmsForInlineStylesheets(OptionSet<ContentSecurityPolicyHashAlgorithm> hashAlgorithmsForInlineStylesheets)
+ {
+ m_hashAlgorithmsForInlineStylesheets |= hashAlgorithmsForInlineStylesheets;
+ }
</ins><span class="cx">
</span><span class="cx"> // Used by ContentSecurityPolicySource
</span><span class="cx"> bool protocolMatchesSelf(const URL&) const;
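Review bot: addHashAlgorithmsForInlineScripts and addHashAlgorithmsForInlineStylesheets only ever OR bits in, nothing clears them, and they live on the ContentSecurityPolicy object rather than on one policy, so each set is the union over every header received. That is fine if the sets are only a hint for which digests to compute before matching (the real decision is per source list), but nothing says so; a one-line comment on these members stating that a non-empty set grants nothing by itself would stop a later reader treating it as "this policy uses hashes".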
</span><span class="lines">@@ -144,6 +156,8 @@
</span><span class="cx">
</span><span class="cx"> void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicy::PolicyFrom);
</span><span class="cx">
</span><ins>+ const TextEncoding& documentEncoding() const;
+
</ins><span class="cx"> ScriptExecutionContext* m_scriptExecutionContext { nullptr };
</span><span class="cx"> std::unique_ptr<ContentSecurityPolicySource> m_selfSource;
</span><span class="cx"> String m_selfSourceProtocol;
</span><span class="lines">@@ -151,6 +165,8 @@
</span><span class="cx"> String m_lastPolicyEvalDisabledErrorMessage;
</span><span class="cx"> SandboxFlags m_sandboxFlags;
</span><span class="cx"> bool m_overrideInlineStyleAllowed { false };
</span><ins>+ OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineScripts;
+ OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineStylesheets;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -105,6 +105,35 @@
</span><span class="cx"> return !isASCIISpace(c);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+static inline bool checkEval(ContentSecurityPolicySourceListDirective* directive)
+{
+ return !directive || directive->allowEval();
+}
+
+static inline bool checkInline(ContentSecurityPolicySourceListDirective* directive)
+{
+ return !directive || directive->allowInline();
+}
+
+static inline bool checkSource(ContentSecurityPolicySourceListDirective* directive, const URL& url)
+{
+ return !directive || directive->allows(url);
+}
+
+static inline bool checkHash(ContentSecurityPolicySourceListDirective* directive, const ContentSecurityPolicyHash& hash)
+{
+ return !directive || directive->allows(hash);
+}
+
+static inline bool checkMediaType(ContentSecurityPolicyMediaListDirective* directive, const String& type, const String& typeAttribute)
+{
+ if (!directive)
+ return true;
+ if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type)
+ return false;
+ return directive->allows(type);
+}
+
</ins><span class="cx"> ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList(ContentSecurityPolicy& policy, ContentSecurityPolicyHeaderType type)
</span><span class="cx"> : m_policy(policy)
</span><span class="cx"> , m_headerType(type)
</span><span class="lines">@@ -120,7 +149,7 @@
</span><span class="cx"> auto directives = std::make_unique<ContentSecurityPolicyDirectiveList>(policy, type);
</span><span class="cx"> directives->parse(header, from);
</span><span class="cx">
</span><del>- if (!directives->checkEval(directives->operativeDirective(directives->m_scriptSrc.get()))) {
</del><ins>+ if (!checkEval(directives->operativeDirective(directives->m_scriptSrc.get()))) {
</ins><span class="cx"> String message = makeString("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", directives->operativeDirective(directives->m_scriptSrc.get())->text(), "\".\n");
</span><span class="cx"> directives->setEvalDisabledErrorMessage(message);
</span><span class="cx"> }
</span><span class="lines">@@ -137,30 +166,6 @@
</span><span class="cx"> m_policy.reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, state);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool ContentSecurityPolicyDirectiveList::checkEval(ContentSecurityPolicySourceListDirective* directive) const
-{
- return !directive || directive->allowEval();
-}
-
-bool ContentSecurityPolicyDirectiveList::checkInline(ContentSecurityPolicySourceListDirective* directive) const
-{
- return !directive || directive->allowInline();
-}
-
-bool ContentSecurityPolicyDirectiveList::checkSource(ContentSecurityPolicySourceListDirective* directive, const URL& url) const
-{
- return !directive || directive->allows(url);
-}
-
-bool ContentSecurityPolicyDirectiveList::checkMediaType(ContentSecurityPolicyMediaListDirective* directive, const String& type, const String& typeAttribute) const
-{
- if (!directive)
- return true;
- if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type)
- return false;
- return directive->allows(type);
-}
-
</del><span class="cx"> ContentSecurityPolicySourceListDirective* ContentSecurityPolicyDirectiveList::operativeDirective(ContentSecurityPolicySourceListDirective* directive) const
</span><span class="cx"> {
</span><span class="cx"> return directive ? directive : m_defaultSrc.get();
</span><span class="lines">@@ -278,6 +283,11 @@
</span><span class="cx"> return m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get()));
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicyDirectiveList::allowInlineScriptWithHash(const ContentSecurityPolicyHash& hash) const
+{
+ return checkHash(operativeDirective(m_scriptSrc.get()), hash);
+}
+
</ins><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> static NeverDestroyed<String> consoleMessage(ASCIILiteral("Refused to apply inline style because it violates the following Content Security Policy directive: "));
</span><span class="lines">@@ -286,6 +296,11 @@
</span><span class="cx"> return m_reportOnly || checkInline(operativeDirective(m_styleSrc.get()));
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicyDirectiveList::allowInlineStyleWithHash(const ContentSecurityPolicyHash& hash) const
+{
+ return checkHash(operativeDirective(m_styleSrc.get()), hash);
+}
+
</ins><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowEval(JSC::ExecState* state, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> static NeverDestroyed<String> consoleMessage(ASCIILiteral("Refused to evaluate script because it violates the following Content Security Policy directive: "));
</span><span class="lines">@@ -579,18 +594,22 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!name.isEmpty());
</span><span class="cx">
</span><del>- if (equalLettersIgnoringASCIICase(name, defaultSrc))
</del><ins>+ if (equalLettersIgnoringASCIICase(name, defaultSrc)) {
</ins><span class="cx"> setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_defaultSrc);
</span><del>- else if (equalLettersIgnoringASCIICase(name, scriptSrc))
</del><ins>+ m_policy.addHashAlgorithmsForInlineScripts(m_defaultSrc->hashAlgorithmsUsed());
+ m_policy.addHashAlgorithmsForInlineStylesheets(m_defaultSrc->hashAlgorithmsUsed());
+ } else if (equalLettersIgnoringASCIICase(name, scriptSrc)) {
</ins><span class="cx"> setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_scriptSrc);
</span><del>- else if (equalLettersIgnoringASCIICase(name, objectSrc))
</del><ins>+ m_policy.addHashAlgorithmsForInlineScripts(m_scriptSrc->hashAlgorithmsUsed());
+ } else if (equalLettersIgnoringASCIICase(name, styleSrc)) {
+ setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_styleSrc);
+ m_policy.addHashAlgorithmsForInlineStylesheets(m_styleSrc->hashAlgorithmsUsed());
+ } else if (equalLettersIgnoringASCIICase(name, objectSrc))
</ins><span class="cx"> setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_objectSrc);
</span><span class="cx"> else if (equalLettersIgnoringASCIICase(name, frameSrc))
</span><span class="cx"> setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_frameSrc);
</span><span class="cx"> else if (equalLettersIgnoringASCIICase(name, imgSrc))
</span><span class="cx"> setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_imgSrc);
</span><del>- else if (equalLettersIgnoringASCIICase(name, styleSrc))
- setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_styleSrc);
</del><span class="cx"> else if (equalLettersIgnoringASCIICase(name, fontSrc))
</span><span class="cx"> setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_fontSrc);
</span><span class="cx"> else if (equalLettersIgnoringASCIICase(name, mediaSrc))
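Review bot: The new default-src, script-src and style-src branches dereference m_defaultSrc, m_scriptSrc and m_styleSrc immediately after setCSPDirective with no null check. If setCSPDirective can leave the member null on a first occurrence (for example when it rejects the value), `m_defaultSrc->hashAlgorithmsUsed()` is a null dereference; either guard with `if (m_defaultSrc)` or have setCSPDirective return the directive it installed. Feeding default-src into both the inline-script and inline-style algorithm sets is correct, since it is the fallback for both; moving the style-src branch up beside script-src does not change matching order because the comparisons are exclusive.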
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -28,6 +28,7 @@
</span><span class="cx"> #define ContentSecurityPolicyDirectiveList_h
</span><span class="cx">
</span><span class="cx"> #include "ContentSecurityPolicy.h"
</span><ins>+#include "ContentSecurityPolicyHash.h"
</ins><span class="cx"> #include "ContentSecurityPolicyMediaListDirective.h"
</span><span class="cx"> #include "ContentSecurityPolicySourceListDirective.h"
</span><span class="cx"> #include "URL.h"
</span><span class="lines">@@ -50,7 +51,9 @@
</span><span class="cx"> bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
</span><ins>+ bool allowInlineScriptWithHash(const ContentSecurityPolicyHash&) const;
</ins><span class="cx"> bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
</span><ins>+ bool allowInlineStyleWithHash(const ContentSecurityPolicyHash&) const;
</ins><span class="cx"> bool allowEval(JSC::ExecState*, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx">
</span><span class="lines">@@ -87,11 +90,6 @@
</span><span class="cx"> ContentSecurityPolicySourceListDirective* operativeDirective(ContentSecurityPolicySourceListDirective*) const;
</span><span class="cx"> void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL = URL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
</span><span class="cx">
</span><del>- bool checkEval(ContentSecurityPolicySourceListDirective*) const;
- bool checkInline(ContentSecurityPolicySourceListDirective*) const;
- bool checkSource(ContentSecurityPolicySourceListDirective*, const URL&) const;
- bool checkMediaType(ContentSecurityPolicyMediaListDirective*, const String& type, const String& typeAttribute) const;
-
</del><span class="cx"> void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; }
</span><span class="cx">
</span><span class="cx"> bool checkEvalAndReportViolation(ContentSecurityPolicySourceListDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyHashh"></a>
<div class="addfile"><h4>Added: trunk/Source/WebCore/page/csp/ContentSecurityPolicyHash.h (0 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyHash.h         (rev 0)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyHash.h        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -0,0 +1,69 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef ContentSecurityPolicyHash_h
+#define ContentSecurityPolicyHash_h
+
+#include <wtf/HashTraits.h>
+#include <wtf/Hasher.h>
+#include <wtf/Vector.h>
+
+namespace WebCore {
+
+// Keep this synchronized with the constant maximumContentSecurityPolicyDigestLength below.
+enum class ContentSecurityPolicyHashAlgorithm {
+ SHA_256 = 1 << 0,
+ SHA_384 = 1 << 1,
+ SHA_512 = 1 << 2,
+};
+
+const size_t maximumContentSecurityPolicyDigestLength = 64; // bytes to hold SHA-512 digest
+
+typedef Vector<uint8_t> ContentSecurityPolicyDigest;
+typedef std::pair<ContentSecurityPolicyHashAlgorithm, ContentSecurityPolicyDigest> ContentSecurityPolicyHash;
+
+}
+
+namespace WTF {
+
+template<> struct DefaultHash<WebCore::ContentSecurityPolicyHashAlgorithm> { typedef IntHash<WebCore::ContentSecurityPolicyHashAlgorithm> Hash; };
+template<> struct HashTraits<WebCore::ContentSecurityPolicyHashAlgorithm> : StrongEnumHashTraits<WebCore::ContentSecurityPolicyHashAlgorithm> { };
+template<> struct DefaultHash<WebCore::ContentSecurityPolicyDigest> {
+ struct Hash {
+ static unsigned hash(const WebCore::ContentSecurityPolicyDigest& digest)
+ {
+ return StringHasher::computeHashAndMaskTop8Bits(digest.data(), digest.size());
+ }
+ static bool equal(const WebCore::ContentSecurityPolicyDigest& a, const WebCore::ContentSecurityPolicyDigest& b)
+ {
+ return a == b;
+ }
+ static const bool safeToCompareToEmptyOrDeleted = true;
+ };
+};
+
+}
+
+#endif // ContentSecurityPolicyHash_h
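Review bot: ContentSecurityPolicyHash.h uses std::pair and uint8_t but includes neither utility nor stdint.h, relying on the WTF headers to pull them in; add the direct includes so the header is self-sufficient. The comment above the enum asks to keep it synchronized with maximumContentSecurityPolicyDigestLength, yet nothing in the header ties a digest length to an algorithm; a small per-algorithm digest-length helper here would let parseHashSource reject a digest of the wrong size for its named algorithm instead of only capping at 64 bytes.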
</ins><span class="cx">Property changes on: trunk/Source/WebCore/page/csp/ContentSecurityPolicyHash.h
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnkeywords"></a>
<div class="addfile"><h4>Added: svn:keywords</h4></div>
<a id="svneolstyle"></a>
<div class="addfile"><h4>Added: svn:eol-style</h4></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -33,6 +33,8 @@
</span><span class="cx"> #include "SecurityOrigin.h"
</span><span class="cx"> #include "URL.h"
</span><span class="cx"> #include <wtf/ASCIICType.h>
</span><ins>+#include <wtf/NeverDestroyed.h>
+#include <wtf/text/Base64.h>
</ins><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><span class="lines">@@ -125,6 +127,11 @@
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicySourceList::matches(const ContentSecurityPolicyHash& hash) const
+{
+ return m_hashes.contains(hash);
+}
+
</ins><span class="cx"> // source-list = *WSP [ source *( 1*WSP source ) *WSP ]
</span><span class="cx"> // / *WSP "'none'" *WSP
</span><span class="cx"> //
</span><span class="lines">@@ -145,6 +152,9 @@
</span><span class="cx"> bool hostHasWildcard = false;
</span><span class="cx"> bool portHasWildcard = false;
</span><span class="cx">
</span><ins>+ if (parseHashSource(beginSource, position))
+ continue;
+
</ins><span class="cx"> if (parseSource(beginSource, position, scheme, host, port, path, hostHasWildcard, portHasWildcard)) {
</span><span class="cx"> // Wildcard hosts and keyword sources ('self', 'unsafe-inline',
</span><span class="cx"> // etc.) aren't stored in m_list, but as attributes on the source
</span><span class="lines">@@ -385,4 +395,72 @@
</span><span class="cx"> return ok;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+static bool parseHashAlgorithmAdvancingPosition(const UChar*& position, size_t length, ContentSecurityPolicyHashAlgorithm& algorithm)
+{
+ static struct {
+ NeverDestroyed<String> label;
+ ContentSecurityPolicyHashAlgorithm algorithm;
+ } labelToHashAlgorithmTable[] {
+ { ASCIILiteral("sha256"), ContentSecurityPolicyHashAlgorithm::SHA_256 },
+ { ASCIILiteral("sha384"), ContentSecurityPolicyHashAlgorithm::SHA_384 },
+ { ASCIILiteral("sha512"), ContentSecurityPolicyHashAlgorithm::SHA_512 },
+ };
+
+ StringView stringView(position, length);
+ for (auto& entry : labelToHashAlgorithmTable) {
+ String& label = entry.label.get();
+ if (!stringView.startsWithIgnoringASCIICase(label))
+ continue;
+ position += label.length();
+ algorithm = entry.algorithm;
+ return true;
+ }
+ return false;
+}
+
+static bool isBase64Character(UChar c)
+{
+ return isASCIIAlphanumeric(c) || c == '+' || c == '/' || c == '-' || c == '_';
+}
+
+// hash-source = "'" hash-algorithm "-" base64-value "'"
+// hash-algorithm = "sha256" / "sha384" / "sha512"
+// base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" )*2( "=" )
+bool ContentSecurityPolicySourceList::parseHashSource(const UChar* begin, const UChar* end)
+{
+ if (begin == end)
+ return false;
+
+ const UChar* position = begin;
+ if (!skipExactly<UChar>(position, end, '\''))
+ return false;
+
+ ContentSecurityPolicyHashAlgorithm algorithm;
+ if (!parseHashAlgorithmAdvancingPosition(position, end - position, algorithm))
+ return false;
+
+ if (!skipExactly<UChar>(position, end, '-'))
+ return false;
+
+ const UChar* beginHashValue = position;
+ skipWhile<UChar, isBase64Character>(position, end);
+ skipExactly<UChar>(position, end, '=');
+ skipExactly<UChar>(position, end, '=');
+ if (position >= end || position == beginHashValue || *position != '\'')
+ return false;
+ Vector<uint8_t> digest;
+ StringView hashValue(beginHashValue, position - beginHashValue); // base64url or base64 encoded
+ // FIXME: Normalize Base64URL to Base64 instead of decoding twice. See <https://bugs.webkit.org/show_bug.cgi?id=155186>.
+ if (!base64Decode(hashValue.toStringWithoutCopying(), digest, Base64ValidatePadding)) {
+ if (!base64URLDecode(hashValue.toStringWithoutCopying(), digest))
+ return false;
+ }
+ if (digest.size() > maximumContentSecurityPolicyDigestLength)
+ return false;
+
+ m_hashes.add(std::make_pair(algorithm, digest));
+ m_hashAlgorithmsUsed |= algorithm;
+ return true;
+}
+
</ins><span class="cx"> } // namespace WebCore
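Review bot: parseHashSource accepts trailing characters after the closing quote: the check `if (position >= end || position == beginHashValue || *position != '\'')` verifies only that the next character is a quote, not that the quote ends the token, so a source token such as 'sha256-AAAA'junk is stored as a valid hash. Add a check that the quote is the last character of the token (position + 1 == end) before accepting. Second, the only size check is `digest.size() > maximumContentSecurityPolicyDigestLength`, so a sha256 source with, say, a 20-byte digest is recorded and then silently never matches; rejecting a digest whose length does not fit the named algorithm (32, 48 or 64 bytes) at parse time, with a console message, would surface the policy typo to its author. The FIXME about decoding twice is fair: isBase64Character admits both the standard and the URL-safe alphabet, so a value mixing them is pushed through both decoders and the accepted grammar is hard to state precisely.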
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -27,8 +27,10 @@
</span><span class="cx"> #ifndef ContentSecurityPolicySourceList_h
</span><span class="cx"> #define ContentSecurityPolicySourceList_h
</span><span class="cx">
</span><ins>+#include "ContentSecurityPolicyHash.h"
</ins><span class="cx"> #include "ContentSecurityPolicySource.h"
</span><del>-#include <wtf/Vector.h>
</del><ins>+#include <wtf/HashSet.h>
+#include <wtf/OptionSet.h>
</ins><span class="cx"> #include <wtf/text/WTFString.h>
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
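Review bot: This hunk drops the direct include of wtf/Vector.h while the Vector member m_list is still declared further down in this header; it now compiles only because ContentSecurityPolicyHash.h happens to include wtf/Vector.h. Keep the direct include so the header does not depend on a transitive one.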
</span><span class="lines">@@ -41,8 +43,13 @@
</span><span class="cx"> ContentSecurityPolicySourceList(const ContentSecurityPolicy&, const String& directiveName);
</span><span class="cx">
</span><span class="cx"> void parse(const String&);
</span><ins>+
</ins><span class="cx"> bool matches(const URL&);
</span><del>- bool allowInline() const { return m_allowInline; }
</del><ins>+ bool matches(const ContentSecurityPolicyHash&) const;
+
+ OptionSet<ContentSecurityPolicyHashAlgorithm> hashAlgorithmsUsed() const { return m_hashAlgorithmsUsed; }
+
+ bool allowInline() const { return m_allowInline && m_hashes.isEmpty(); }
</ins><span class="cx"> bool allowEval() const { return m_allowEval; }
</span><span class="cx"> bool allowSelf() const { return m_allowSelf; }
</span><span class="cx">
</span><span class="lines">@@ -57,8 +64,12 @@
</span><span class="cx">
</span><span class="cx"> bool isProtocolAllowedByStar(const URL&) const;
</span><span class="cx">
</span><ins>+ bool parseHashSource(const UChar* begin, const UChar* end);
+
</ins><span class="cx"> const ContentSecurityPolicy& m_policy;
</span><span class="cx"> Vector<ContentSecurityPolicySource> m_list;
</span><ins>+ HashSet<ContentSecurityPolicyHash> m_hashes;
+ OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsUsed;
</ins><span class="cx"> String m_directiveName;
</span><span class="cx"> bool m_allowSelf { false };
</span><span class="cx"> bool m_allowStar { false };
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectivecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -47,4 +47,9 @@
</span><span class="cx"> return m_sourceList.matches(url);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicySourceListDirective::allows(const ContentSecurityPolicyHash& hash) const
+{
+ return m_sourceList.matches(hash);
+}
+
</ins><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectiveh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h (197939 => 197940)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h        2016-03-10 16:57:11 UTC (rev 197939)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h        2016-03-10 17:46:06 UTC (rev 197940)
</span><span class="lines">@@ -39,9 +39,12 @@
</span><span class="cx"> ContentSecurityPolicySourceListDirective(const String& name, const String& value, const ContentSecurityPolicy&);
</span><span class="cx">
</span><span class="cx"> bool allows(const URL&);
</span><ins>+ bool allows(const ContentSecurityPolicyHash&) const;
</ins><span class="cx"> bool allowInline() const { return m_sourceList.allowInline(); }
</span><span class="cx"> bool allowEval() const { return m_sourceList.allowEval(); }
</span><span class="cx">
</span><ins>+ OptionSet<ContentSecurityPolicyHashAlgorithm> hashAlgorithmsUsed() const { return m_sourceList.hashAlgorithmsUsed(); }
+
</ins><span class="cx"> private:
</span><span class="cx"> ContentSecurityPolicySourceList m_sourceList;
</span><span class="cx"> };
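Review bot: The new `allows(const ContentSecurityPolicyHash&)` is const while the existing `allows(const URL&)` is not, and the same asymmetry appears in ContentSecurityPolicySourceList::matches. Unless the URL path genuinely mutates state, make both overloads const so the hash overload is not the odd one out.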
</span></span></pre>
</div>
</div>
</body>
</html>